Thursday, April 29, 2010

Securing Java

http://www.securingjava.com/chapter-seven/chapter-seven-1.html

http://stackoverflow.com/questions/1935479/do-javas-inner-classes-pose-a-security-risk
This information is around a decade out of date. The widespread use of anonymous inner classes with AccessController.doPrivileged should be a clue. (If you don't like the API, consider the proportion of try-finally blocks that are incorrectly missing in the JDK.)
The policy is that no two classes can share the same package if they are loaded by different class loaders or have different certificates. For more protection, mark packages as sealed in the manifest of your jars. So, from a security standpoint, "Rule 4" is bogus.

Sun's Secure Coding Guidelines for Java

http://java.sun.com/security/seccodeguide.html

Ironic to see "Guideline 0-3 Avoid duplication" in the above, and yet duplicates abound in the JDK 1.4 source code.